mongo is an interactive JavaScript shell interface to
MongoDB, which provides a powerful interface for system
administrators as well as a way for developers to test queries and
operations directly with the database. mongo also provides
a fully functional JavaScript environment for use with a MongoDB.
The mongo shell is part of the MongoDB distributions.

Note

Starting in version 4.0, mongo disables support for TLS 1.0
encryption on systems where TLS 1.1+ is available. For
more details, see Disable TLS 1.0.

Enables the shell interface. If you invoke the mongo command
and specify a JavaScript file as an argument, or use --eval to
specify JavaScript on the command line, the --shell option
provides the user with a shell prompt after the file finishes executing.

The mongo shell verifies that the hostname (specified
in --host option or the connection string)
matches the SAN (or, if SAN is not present, the CN) in
the certificate presented by the mongod or
mongos. If SAN is present, mongo
does not match against the CN. If the hostname does not match
the SAN (or CN), the mongo shell will fail to
connect.

Specify the connection protocol as mongodb+srv, followed by
the DNS SRV hostname record and any options. The authSource
and replicaSet options, if included in the connection string,
will override any corresponding DNS-configured options set in the
TXT record. Use of the mongodb+srv: connection string
implicitly enables TLS/SSL (normally set with ssl=true) for
the client connection. The TLS/SSL option can be turned off by
setting ssl=false in the query string.

Specifies a password with which to authenticate to a MongoDB database
that uses authentication. Use in conjunction with the --username
and --authenticationDatabase options. To force mongo to
prompt for a password, enter the --password option as the
last option and leave out the argument.

Messages are compressed when both parties enable network
compression. Otherwise, messages between the parties are
uncompressed.

If you specify multiple compressors, then the order in which you list
the compressors matter as well as the communication initiator. For
example, if a mongo shell specifies the following network
compressors zlib,snappy and the mongod specifies
snappy,zlib, messages between mongo shell and
mongod uses zlib.

If the parties do not share at least one common compressor, messages
between the parties are uncompressed. For example, if a
mongo shell specifies the network compressor
zlib and mongod specifies snappy, messages
between mongo shell and mongod are not compressed.

Enables IPv6 support and allows mongo to connect to the
MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you
had to specify --ipv6 to use IPv6. In MongoDB 3.0 and later, IPv6
is always enabled.

The above command will connect the mongo shell to the
admin database of the MongoDB deployment running on the local machine. You may specify a remote
database instance, with the resolvable hostname or IP address. Separate
the database name from the hostname using a / character. See the
following examples:

The default behavior (when mongo starts without the
--disableJavaScriptProtection flag) is to convert embedded
JavaScript functions to the non-executable MongoDB shell type
Code. The following example demonstrates the default behavior
within the shell:

Specifies a JavaScript file to run and then exit. Generally this should
be the last option specified.

Optional

To specify a JavaScript file to execute and allow
mongo to prompt you for a password using
--password, pass the filename as the first parameter with
--username and --password as the last options, as
in the following:

Enables connection to a mongod or mongos that has
TLS/SSL support enabled.

Starting in version 3.2.6, if --sslCAFile or ssl.CAFile is
not specified, the system-wide CA certificate store will be used
when connecting to an TLS/SSL-enabled server. In previous versions
of MongoDB, the mongo shell exited with an error that
it could not validate the certificate.

Specifies the password to de-crypt the certificate-key file (i.e.
--sslPEMKeyFile). Use the --sslPEMKeyPassword option only if the
certificate-key file is encrypted. In all cases, the mongo will
redact the password from all logging and reporting output.

Specifies the .pem file that contains the root certificate chain
from the Certificate Authority. Specify the file name of the
.pem file using relative or absolute paths.

Starting in version 3.2.6, if --sslCAFile or ssl.CAFile is
not specified, the system-wide CA certificate store will be used
when connecting to an TLS/SSL-enabled server. In previous versions
of MongoDB, the mongo shell exited with an error that
it could not validate the certificate.

Bypasses the validation checks for server certificates and allows
the use of invalid certificates to connect.

Note

Starting in MongoDB 4.0, if you specify
--sslAllowInvalidCertificates or ssl.allowInvalidCertificates:true when using x.509 authentication, an invalid certificate is
only sufficient to establish a TLS/SSL connection but is
insufficient for authentication.

Warning

Although available, avoid using the
--sslAllowInvalidCertificates option if possible. If the use of
--sslAllowInvalidCertificates is necessary, only use the option
on systems where intrusion is not possible.

If the mongo shell (and other
MongoDB Tools) runs with the
--sslAllowInvalidCertificates option, the
mongo shell (and other
MongoDB Tools) will not attempt to validate
the server certificates. This creates a vulnerability to expired
mongod and mongos certificates as
well as to foreign processes posing as valid
mongod or mongos instances. If you
only need to disable the validation of the hostname in the
TLS/SSL certificates, see --sslAllowInvalidHostnames.

mongo will read the .mongorc.js file from the home
directory of the user invoking mongo. In the file, users
can define variables, customize the mongo shell prompt,
or update information that they would like updated every time they
launch a shell. If you use the shell to evaluate a JavaScript file
or expression either on the command line with mongo--eval or
by specifying a .js file to mongo,
mongo will read the .mongorc.js file after the
JavaScript has finished processing.

Global mongorc.js file which the mongo shell
evaluates upon start-up. If a user also has a .mongorc.js
file located in the HOME directory, the mongo
shell evaluates the global /etc/mongorc.js file before
evaluating the user’s .mongorc.js file.

/etc/mongorc.js must have read permission for the user
running the shell. The --norc option for mongo
suppresses only the user’s .mongorc.js file.

On Windows, the global mongorc.js</etc/mongorc.js> exists
in the %ProgramData%\MongoDB directory.

/tmp/mongo_edit<time_t>.js

Created by mongo when editing a file. If the file exists,
mongo will append an integer from 1 to 10 to the
time value to attempt to create a unique file.

%TEMP%mongo_edit<time_t>.js

Created by mongo.exe on Windows when editing a file. If
the file exists, mongo will append an integer from 1
to 10 to the time value to attempt to create a unique file.

To connect to a replica set described using the
DNS Seedlist Connection Format, use the --host option
to specify the connection string to the mongo shell. In
the following example, the DNS configuration resembles: